ctipilot.ch

Daily brief 2026-05-08

MuddyWater (Iran/MOIS) deploys Chaos ransomware as false flag; harvests credentials via Teams

notable threat · discovered 2026-05-08 05:00 UTC · single-source

Part of run 2026-05-08-migrated (intel · unknown)

Security researchers have documented a refreshed campaign by MuddyWater (attributed to Iran's Ministry of Intelligence and Security, MOIS) against government contractors and defence-adjacent organisations in Europe and the Middle East. The campaign deploys Chaos ransomware payloads branded to resemble criminal ransomware groups, a deliberate false flag intended to complicate attribution and slow incident-response triage: an encryption event in these sectors that looks like commodity extortion should not be de-prioritised on that basis. A parallel social-engineering vector uses Microsoft Teams external-access invitations, under a helpdesk pretext, to obtain remote-assistance sessions; credentials harvested during those sessions are then used for further access through legitimate cloud services.

Observed ATT&CK techniques: T1566.003 (Spearphishing via Service) for the Teams invitation lure (T1566.004 is Spearphishing Voice and would apply only where the helpdesk pretext was delivered by call), T1649 (Steal or Forge Authentication Certificates), T1486 (Data Encrypted for Impact). This is a single-source threat-intelligence vendor disclosure.
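As an added practitioner check (not part of the original brief or of the vendor's reporting): the following PowerShell audits a tenant's Teams external-access (federation) configuration and restricts it to an explicit partner allow list, removing the open-federation precondition that unsolicited Teams invitations from arbitrary tenants rely on. The cmdlets are from the MicrosoftTeams module; the partner domain names are hypothetical placeholders.

```powershell
# Added example, not from the ctipilot.ch brief: audit and tighten Microsoft Teams
# external access so that chat and call invitations from unknown tenants cannot reach
# users. Requires the MicrosoftTeams PowerShell module and a Teams administrator role.
# The allow-list domains below are hypothetical placeholders.

Import-Module MicrosoftTeams
Connect-MicrosoftTeams

# 1. Record the current tenant-wide federation posture before changing anything.
$before = Get-CsTenantFederationConfiguration
$before | Select-Object AllowFederatedUsers, AllowPublicUsers,
    AllowTeamsConsumer, AllowTeamsConsumerInbound, AllowedDomains, BlockedDomains |
    Format-List

# An open tenant (AllowFederatedUsers = $true with no explicit AllowedDomain entries)
# accepts invitations from any Teams tenant; that is the condition a helpdesk-pretext
# lure from an attacker-controlled tenant depends on.
if ($before.AllowFederatedUsers -and -not $before.AllowedDomains.AllowedDomain) {
    Write-Warning "External access is open to all Teams tenants."
}

# 2. Block consumer (personal) Teams accounts and Skype consumer accounts entirely.
Set-CsTenantFederationConfiguration -AllowTeamsConsumer $false `
                                    -AllowTeamsConsumerInbound $false `
                                    -AllowPublicUsers $false

# 3. Keep federation enabled, but only for an explicit list of partner tenants.
#    Replace the placeholder domains with the organisation's real partner list.
$partnerDomains = New-Object System.Collections.Generic.List[string]
$partnerDomains.Add('partner-a.example')   # hypothetical
$partnerDomains.Add('partner-b.example')   # hypothetical
Set-CsTenantFederationConfiguration -AllowFederatedUsers $true `
                                    -AllowedDomainsAsAList $partnerDomains

# 4. Verify the new posture.
Get-CsTenantFederationConfiguration |
    Select-Object AllowFederatedUsers, AllowPublicUsers, AllowTeamsConsumer,
        AllowTeamsConsumerInbound, AllowedDomains |
    Format-List
```

Restricting federation stops invitations from unknown tenants but not a lure sent from a compromised partner tenant or delivered by email, so pair it with helpdesk identity-verification procedures and with restricting remote-assistance tooling to staff who need it.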

nation-state · espionage · ransomware · phishing · identity · iran-nexus · europe · middle-east